Soundcomber: A Stealthy and Context-Aware Sound Trojan for Smartphones

Roman Schlegel (City University of Hong Kong), Kehuan Zhang, Xiaoyong Zhou, Mehool Intwala, Apu Kapadia, XiaoFeng Wang (Indiana University Bloomington)
NDSS Symposium 2011
Presenter: 張逸文

Outline
- Introduction
- Overview
- Context-Aware Information Collection
- Stealthy Data Transmission
- Defense Architecture
- Evaluation
- Discussion
- Conclusion

Introduction (1/2)
- Smartphones are full-fledged computing platforms
- The plague of data-stealing malware
- Sensory malware, e.g. through the video camera or the microphone
- Security protections: Java virtual machines on Android, anti-virus, control over installing untrusted software
- Two new observations: the context of a phone conversation is predictable and can be fingerprinted; there is a built-in covert channel

Introduction (2/2)
- Main goal: extract a small amount of high-value private data from phone conversations and transmit it to a malicious party
- Major contributions: targeted, context-aware information discovery from sound recordings; stealthy data transmission; implementation and evaluation; defensive architecture


Overview (1/2)
- Assumptions: the Trojan works under limited privileges
- Architectural overview

Overview (2/2)
- Video demo
- 4392 2588 8888 8888

Context-Aware Information Collection (1/7)
- Monitor the phone state: identify, record, analyze, extract
- Three steps: 1. audio recording; 2. audio processing; 3. targeted data extraction using profiles

Context-Aware Information Collection (2/7)
1. Audio recording
- When to record: whenever the user initiates a phone call; recording happens in the background
- Determining the number called: intercept outgoing phone calls / read contact data; compare the first segment of the recording with keywords in a database; use relevant, non-overlapping keywords; minimize the necessary permissions

Context-Aware Information Collection (3/7)
2. Audio processing
- Decode the file
- Speech/tone recognition
- Speech/tone extraction

Context-Aware Information Collection (4/7)
a) Tone recognition: DTMF (dual-tone multi-frequency)
- A signaling channel that informs the mobile phone network of the pressed key
- The aural feedback leaks into a side channel
- Tones are recognized with Goertzel's algorithm
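As an added illustration (not code from the paper or these slides) of the recognition step above, and of why the defense later in the deck denies audio access during sensitive calls: Goertzel's algorithm scores the eight DTMF frequencies of a short audio frame and maps the dominant row/column pair to a keypad symbol. The 8 kHz sample rate, the 100 ms frame and the dominance ratio are assumptions, and the test tones are synthesized.

```python
import math

# Standard DTMF grid (Hz): the low group selects the keypad row, the high group the column.
LOW_FREQS = [697, 770, 852, 941]
HIGH_FREQS = [1209, 1336, 1477, 1633]
KEYPAD = [["1", "2", "3", "A"], ["4", "5", "6", "B"],
          ["7", "8", "9", "C"], ["*", "0", "#", "D"]]

def goertzel_power(samples, target_hz, sample_rate):
    """Energy in one frequency bin via Goertzel's second-order recursion (no full FFT needed)."""
    n = len(samples)
    k = round(n * target_hz / sample_rate)      # nearest DFT bin for the target frequency
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in samples:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev * s_prev + s_prev2 * s_prev2 - coeff * s_prev * s_prev2

def detect_key(samples, sample_rate, ratio=10.0):
    """Return the keypad symbol whose row and column tones dominate, or None for silence/speech."""
    low = [goertzel_power(samples, f, sample_rate) for f in LOW_FREQS]
    high = [goertzel_power(samples, f, sample_rate) for f in HIGH_FREQS]
    li = max(range(4), key=low.__getitem__)
    hi = max(range(4), key=high.__getitem__)
    # Assumed acceptance rule: the winning bin must exceed every other bin in its group by `ratio`.
    for group, idx in ((low, li), (high, hi)):
        others = [p for j, p in enumerate(group) if j != idx]
        if group[idx] < ratio * max(others + [1e-9]):
            return None
    return KEYPAD[li][hi]

def synth_tone(key, sample_rate=8000, duration=0.1):
    """Constructed test input: the two sinusoids that make up one DTMF key (100 ms at 8 kHz)."""
    for r, row in enumerate(KEYPAD):
        if key in row:
            f_low, f_high = LOW_FREQS[r], HIGH_FREQS[row.index(key)]
            break
    else:
        raise ValueError("not a DTMF key: %r" % key)
    n = int(sample_rate * duration)
    return [math.sin(2 * math.pi * f_low * i / sample_rate)
            + math.sin(2 * math.pi * f_high * i / sample_rate) for i in range(n)]

if __name__ == "__main__":
    print("".join(detect_key(synth_tone(k), 8000) or "?" for k in "4392"))
```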

Context-Aware Information Collection (5/7)
b) Speech recognition
- Google service: speech recognition functionality
- PocketSphinx
- Segmentation: split the recording into the segments that contain speech
[Figure: a recording segmented into sound and silence, with the segments labelled Recording 0, 1, 2]

Context-Aware Information Collection (6/7)
3. Targeted data extraction using profiles
- Focus on IVRs (interactive voice response systems)
- Phone menus are navigated based on predetermined profiles

Context-Aware Information Collection (7/7)
General profiles
- Speech signatures
- Sequence detection
- Speech characteristics

Stealthy Data Transmission
- Processing centrally isn't ideal: with no local processing, a 1-minute recording is 94 KB, whereas a credit card number is 16 bytes
- Option 1: a legitimate, existing application with network access
- Option 2: a paired Trojan application with network access, communicating through a covert channel

Leveraging third-party applications
- The permission mechanism only restricts individual applications
- Ex: using the browser to open the URL http://target?number=N
- Drawback: more noticeable because the browser runs in the foreground; ads to cover it

Covert channels with paired Trojans (1/4)
- Paired Trojans: Soundminer, Deliverer
- Installation of paired Trojan applications: pop-up ad; packaged app
- Covert channels on the smartphone: vibration settings, volume settings, screen, file locks

Covert channels with paired Trojans (2/4)
Vibration settings
- Any application can change the vibration settings
- Communication channel: every time the setting is changed, the system sends a notification to interested applications
- Save and restore the original settings at opportune times
- No permissions needed; leaves no traces
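A defender-side check, added here as an example and not part of the paper or its implementation: a monitor that receives the same setting-change notifications can flag a package that toggles the vibration setting far faster than a person would. The event format, the package names, the one-second window and the threshold are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample of setting-change notifications: (time_ms, package, new_vibrate_value).
# Package names are placeholders; a real observer would log the caller of each change.
SAMPLE_EVENTS = (
    [(1000, "com.example.user_action", 1), (20000, "com.example.user_action", 0)]
    + [(5000 + 100 * i, "com.example.suspect", i % 2) for i in range(8)]   # 8 toggles in 0.7 s
    + [(9000, "com.example.slow_app", 1), (9600, "com.example.slow_app", 0)]
)

WINDOW_MS = 1000        # assumption: judge the change rate over one-second windows
HUMAN_MAX_TOGGLES = 3   # assumption: more than three changes per second is not a person

def peak_toggles_per_window(times, window_ms=WINDOW_MS):
    """Largest number of changes that fall inside any window of window_ms (sliding window)."""
    times = sorted(times)
    start, peak = 0, 0
    for end in range(len(times)):
        while times[end] - times[start] >= window_ms:
            start += 1
        peak = max(peak, end - start + 1)
    return peak

def flag_setting_bursts(events, window_ms=WINDOW_MS, threshold=HUMAN_MAX_TOGGLES):
    """Return {package: peak toggles per window} for every package above the threshold."""
    by_pkg = defaultdict(list)
    for t, pkg, _value in events:
        by_pkg[pkg].append(t)
    flagged = {}
    for pkg, times in by_pkg.items():
        peak = peak_toggles_per_window(times, window_ms)
        if peak > threshold:
            flagged[pkg] = peak
    return flagged

if __name__ == "__main__":
    print(flag_setting_bursts(SAMPLE_EVENTS))   # {'com.example.suspect': 8}
```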

Covert channels with paired Trojans (3/4)
Volume settings
- Not automatically broadcast; the two sides set and check the volume alternately
- 3 bits per iteration
- Sending at times t_i, i = 0, 1, ...; reading at times in between, so as not to miss a window
Screen
- A visible channel made invisible: the covert channel uses the screen settings while preventing the screen from actually turning on
- Requires the WAKE_LOCK permission

Covert channels with paired Trojans (4/4)
File locks
- Exchange information by competing for a file lock
- Signaling files S1, ..., Sm plus one data file
- S1 to S(m/2) belong to Soundminer, S(m/2+1) to Sm to Deliverer

Defense Architecture
- Add a context-sensitive reference monitor to control the AudioFlinger service
- Block all applications from accessing the audio data while a sensitive call is in progress
- Reference service: the RIL (radio interface layer) reports entering/leaving a sensitive state
- Controller: embedded in the AudioFlinger service; exclusive mode / non-exclusive mode
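The controller logic on this slide, modelled in Python as an added example (not the paper's AudioFlinger modification): the reference service reports call start and end with the dialed number, the controller switches between exclusive and non-exclusive mode, and every request to open audio input is decided against the current mode. The sensitive-number policy, the client names and the audit log are assumptions.

```python
from enum import Enum

class Mode(Enum):
    NON_EXCLUSIVE = "non-exclusive"   # any application may read microphone data
    EXCLUSIVE = "exclusive"           # only the telephony path receives audio

def _digits(number):
    """Normalise a dialed number to its digit string so formatting differences do not matter."""
    return "".join(ch for ch in number if ch.isdigit())

class AudioReferenceMonitor:
    """Hypothetical controller inside the audio service, driven by RIL call events."""

    def __init__(self, sensitive_numbers):
        self.sensitive = {_digits(n) for n in sensitive_numbers}   # assumed policy input
        self.mode = Mode.NON_EXCLUSIVE
        self.active_call = None
        self.audit = []   # (event, details...) kept for later forensic review

    # Events forwarded by the reference service (radio interface layer)
    def on_call_started(self, dialed):
        self.active_call = _digits(dialed)
        if self.active_call in self.sensitive:
            self.mode = Mode.EXCLUSIVE
            self.audit.append(("enter_sensitive", self.active_call))

    def on_call_ended(self):
        if self.mode is Mode.EXCLUSIVE:
            self.audit.append(("leave_sensitive", self.active_call))
        self.mode = Mode.NON_EXCLUSIVE
        self.active_call = None

    # Decision point: consulted for every request to open an audio input stream
    def allow_audio_access(self, client, is_telephony=False):
        if self.mode is Mode.EXCLUSIVE and not is_telephony:
            self.audit.append(("denied", client, self.active_call))
            return False
        self.audit.append(("allowed", client, self.active_call))
        return True
```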


Evaluation (1/2)
Experiment settings
- Environment
- Service hotline detection
- Tone recognition
- Speech recognition (resource usage measured with getrusage())
- Profile-based data discovery: extracted high-value information
- Covert channel study: bandwidth in bits per second
- Reference monitor

Evaluation (2/2)
Experiment results
- Effectiveness: service hotline detection; tone/speech recognition; detection by anti-virus applications
- Performance


Discussion
- Improvements on the attack
- Defenses

Conclusion
- Soundminer with innocuous permissions
- Defense against sensor-data stealing
- Highlighted the threat of stealthy sensory malware

Thanks ~